
Data Processing Agreement (DPA)

A clear, healthcare-grade commitment that your patients' data stays yours — processed only on your instructions, protected to global standards, and exportable any time, with no lock-in.

Effective: 2026-06-26 · Last updated: 2026-06-26 · Applies to: CLARUS®

This Data Processing Agreement ("DPA") explains, in plain language, how CLARUS® ("كلاروس") processes personal data on behalf of your laboratory when you use our Laboratory Information System. It is written to give you confidence: you remain in control of your data, we act only on your documented instructions, and we hold ourselves to recognised international and healthcare security standards.

This DPA is part of, and incorporated by reference into, the CLARUS® Terms of Service ("Terms"). It takes effect on 2026-06-26 and applies for as long as CLARUS® processes personal data for your laboratory. Capitalised terms used but not defined here have the meaning given to them in the Terms.

Because laboratories handle sensitive patient information, we have made this agreement specific and substantive rather than generic. Where a concept is summarised in the body, the binding technical and organisational detail is set out in the Annex at the end.

1. Scope and Relationship to the Terms

This DPA governs all processing of personal data that CLARUS® carries out for and on behalf of your laboratory ("you", "the Customer") in the course of providing the CLARUS® Laboratory Information System and related services (the "Services"). It applies to personal data entered into, generated by, or transmitted through the Services — including patient and health data — regardless of the deployment model (cloud, hybrid, or offline).

This DPA forms an integral part of the Terms. By accepting the Terms, or by using the Services, you and CLARUS® agree to be bound by this DPA. Where there is a direct conflict between this DPA and the general body of the Terms on the subject of personal-data processing, this DPA prevails to the extent of that conflict; in all other respects the Terms continue to apply in full.

This DPA reflects global best practice in data-processing arrangements, adapted for a regional (MENA and Africa) and healthcare audience. It is designed to operate alongside, and not to diminish, any mandatory data-protection or consumer-protection rights you or the relevant data subjects hold under applicable law.

2. Roles of the Parties — Controller and Processor

In respect of the patient and health data processed through the Services, your laboratory is the data CONTROLLER and CLARUS® is the data PROCESSOR. As Controller, you determine the purposes and means of processing patient data, you are responsible for the lawfulness of that processing, and you are responsible for establishing a valid legal basis (including, where required, patient consent) and for providing any notices to data subjects.

As Processor, CLARUS® processes patient data solely on your documented instructions and never for its own purposes. CLARUS® does not sell patient data, does not use it to train models for unrelated purposes, and does not combine it with data from other sources except as strictly necessary to deliver the Services you have configured.

For a limited category of data — namely the account, billing, and administrative information of the laboratory and its authorised users — CLARUS® acts as an independent Controller (for example, to manage your subscription, secure the platform, comply with its own legal obligations, and prevent fraud). That limited processing is governed by the CLARUS® Privacy Policy. This DPA's Processor obligations apply to the patient and health data described in Sections 3 and 4.

  • Customer (the laboratory) = Controller of patient and health data.
  • CLARUS® = Processor of patient and health data, acting on documented instructions.
  • CLARUS® = independent Controller only for its own account, billing, security, and compliance data.

3. Subject-Matter, Duration, Nature and Purpose of Processing

Subject-matter. The subject-matter of the processing is the personal data submitted to or generated within the Services in connection with the operation of a medical laboratory — including patient registration, test ordering, sample tracking, results, reporting, and related clinical and operational workflows.

Duration. Processing continues for the term of your subscription and any agreed export or wind-down window thereafter, after which data is deleted or returned in accordance with Section 11. CLARUS® will not retain patient data beyond what is necessary to provide the Services or to meet a legal obligation.

Nature and purpose. The nature of the processing includes collection, recording, structuring, storage, retrieval, transmission (including via HL7, ASTM, and FHIR interfaces), display, and — on termination — deletion or return. The purpose is solely to provide, secure, maintain, and support the Services and to enable your laboratory to deliver diagnostic services to its patients. CLARUS® processes the data only as needed for these purposes and as instructed by you.

4. Categories of Data Subjects and Personal Data

The processing under this DPA concerns the following categories of data subjects: patients of the laboratory; laboratory staff and authorised users of the Services; and referring or treating physicians and other healthcare professionals whose details are recorded in connection with orders and results.

The categories of personal data include identification and contact details (for example name, identifiers, date of birth, sex, address, phone, email), order and visit data, sample and accession data, and — most significantly — special-category HEALTH data such as test orders, diagnostic results, clinical observations, and related medical information. The data may also include staff role and access information and physician contact and referral details.

Because the Services routinely process special-category health data, CLARUS® applies heightened safeguards to that data, including the technical and organisational measures set out in Section 6 and the Annex. You, as Controller, are responsible for ensuring that you have an appropriate legal basis for processing such health data.

  • Patients — identifiers, demographics, and special-category health data (orders, results, clinical observations).
  • Laboratory staff / users — identity, credentials metadata, role, and access/audit information.
  • Referring physicians — name, contact details, and referral/order linkage.

5. Obligations of CLARUS® as Processor

CLARUS® will process patient data only on your documented instructions, including with regard to international transfers, unless required to act by a law to which CLARUS® is subject; in that case CLARUS® will, where legally permitted, inform you of that legal requirement before processing. Your instructions are given through the Terms, this DPA, the in-product configuration you choose, and any further written instructions you provide. If CLARUS® believes an instruction infringes applicable data-protection law, it will inform you without undue delay.

CLARUS® ensures that personnel authorised to process patient data are bound by appropriate confidentiality obligations (whether contractual or statutory) that survive the end of their engagement, and that access is limited to those who need it to deliver or support the Services. Personnel receive role-appropriate training on data protection, security, and the special sensitivity of health data.

CLARUS® will implement and maintain the technical and organisational measures described in Section 6 and the Annex, will assist you as set out in Sections 8 and 9, and will make available the information reasonably necessary to demonstrate compliance with this DPA as described in Section 12.

  • Process only on documented instructions; flag instructions believed to be unlawful.
  • Bind all personnel with access to confidentiality duties and least-privilege access.
  • Provide role-based data-protection and security training, with emphasis on health data.
  • Maintain the security measures, breach response, and assistance obligations in this DPA.

6. Security Measures — Summary

CLARUS® implements and maintains appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access — taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the elevated risk associated with special-category health data.

A summary of these measures includes encryption in transit and at rest, strict per-tenant isolation, role-based access control with least privilege, comprehensive audit logging, two-factor authentication, encrypted backups with disaster-recovery capability, and a structured vulnerability-management programme. The full, binding description is set out in the Annex (Technical and Organisational Measures).

CLARUS® reviews and, where appropriate, updates these measures over time to maintain a level of security appropriate to evolving risks. Any update will maintain or improve the overall level of protection and will not materially reduce the security of the Services during your subscription.

7. Sub-Processors

You provide a general authorisation for CLARUS® to engage sub-processors to support delivery of the Services. CLARUS® engages each sub-processor under a written contract that imposes data-protection obligations no less protective than those in this DPA, and CLARUS® remains fully responsible to you for the performance of its sub-processors' obligations.

The categories of sub-processors currently engaged include cloud hosting and infrastructure providers, payment and billing providers, and communications providers (for example, email, SMS, or messaging used for notifications). CLARUS® limits the data shared with each sub-processor to what is necessary for the relevant function.

CLARUS® will give you advance notice of any intended addition or replacement of a sub-processor that processes patient data, through the methods described in the Terms or a designated notice channel. You may object to a new sub-processor on reasonable, data-protection grounds within the notice period; the parties will work in good faith to resolve the objection, and if it cannot be resolved you may, as your remedy, terminate the affected Services in accordance with the Terms.

  • Cloud hosting and infrastructure (per-tenant isolated environments).
  • Payment and billing processing.
  • Communications (email / SMS / messaging notifications).
  • Advance notice of changes affecting patient data, with a documented right to object.

8. Assistance with Data-Subject Requests

Data subjects (for example patients, staff, or physicians) may have rights under applicable law to access, rectify, erase, restrict, port, or object to the processing of their personal data. As Controller, you are responsible for responding to those requests.

Taking into account the nature of the processing, CLARUS® will assist you with appropriate technical and organisational measures — and through the self-service tools available in the Services — to enable you to fulfil your obligation to respond to such requests. Where you are unable to action a request through the in-product tools, CLARUS® will provide reasonable additional assistance.

If CLARUS® receives a request directly from a data subject relating to data it processes on your behalf, CLARUS® will not respond to it directly (other than to acknowledge receipt where appropriate) but will, without undue delay, forward the request to you so that you can respond as Controller.

9. Personal-Data Breach Notification

CLARUS® maintains monitoring, detection, and incident-response procedures designed to identify and contain personal-data breaches. If CLARUS® becomes aware of a personal-data breach affecting patient data it processes on your behalf, it will notify you without undue delay, with the target of notifying you within 72 hours of becoming aware of the breach.

The notification will describe, to the extent known and as information becomes available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. CLARUS® will provide further information in phases where it cannot all be provided at once.

CLARUS® will cooperate with you and take reasonable steps to assist in your investigation, mitigation, and remediation of the breach, and to support any notifications you are required to make to a supervisory authority or to affected data subjects. Notification of a breach is not an acknowledgement of fault or liability.

10. International Transfers and Safeguards

The Services settle billing in Egyptian Pound (EGP) and are operated primarily for laboratories in MENA (with Egypt as the primary market), the Gulf, the Maghreb, and Africa. Depending on the deployment model you choose and the location of the engaged infrastructure, personal data may be processed in, or transferred to, jurisdictions other than where your laboratory is located.

Where CLARUS® transfers personal data across borders, it will ensure that an appropriate transfer mechanism or safeguard recognised under applicable law is in place — such as adequacy recognition, standard contractual clauses or equivalent contractual protections, and supplementary technical measures (including encryption in transit and at rest and per-tenant isolation) — so that the protection afforded to the data travels with it.

Where your deployment requires data residency within a specific country or region, CLARUS® will, where supported by your plan and configuration, host and process patient data accordingly. Transfers to sub-processors are subject to the safeguards described in Section 7.

11. Deletion or Return of Data on Termination

You own your data, and CLARUS® is committed to no lock-in. Throughout your subscription and during the export window described below, you can export your data in open, interoperable formats — including HL7 and FHIR — so that you are never trapped on the platform.

On expiry or termination of the Services, CLARUS® will, at your choice, return the personal data to you and/or delete it. CLARUS® provides a defined export window after termination (as set out in the Terms or your order) during which you may retrieve your data before deletion. After the export window closes, CLARUS® will delete the personal data from active systems and, in due course, from backups in accordance with its backup-rotation cycle, save where retention is required by law.

On request, CLARUS® will confirm in writing that deletion has been completed in accordance with this Section. Data retained solely to meet a legal obligation will continue to be protected by the measures in this DPA for as long as it is retained, and will be processed only for that purpose.

12. Audits and Demonstrating Compliance

CLARUS® will make available to you the information reasonably necessary to demonstrate compliance with this DPA, including, where available, summaries of independent assessments, certifications, penetration-test results, and descriptions of its security controls and the measures in the Annex.

Where that information is not sufficient for your reasonable compliance needs, CLARUS® will allow for and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you. Audits will be conducted on reasonable prior written notice, no more than once per year except where required by a supervisory authority or following a personal-data breach, during business hours, and in a manner that does not compromise the security, confidentiality, or availability of other customers' data.

The parties will each bear their own costs of an audit, agree scope and timing in good faith in advance, and treat all audit findings as confidential. Any third-party auditor must be bound by appropriate confidentiality obligations and must not be a competitor of CLARUS®.

13. Annex — Technical and Organisational Measures

This Annex sets out the technical and organisational measures CLARUS® maintains to protect personal data, with heightened safeguards for special-category health data. These measures are binding and are summarised in Section 6. CLARUS® may update individual measures over time provided the overall level of protection is maintained or improved.

The measures below operate together as a layered defence covering confidentiality, integrity, availability, and resilience of processing systems and services, and the ability to restore access to data in a timely manner after an incident.

  • Encryption in transit — data protected with strong, industry-standard transport encryption between clients, the platform, and integrations (HL7 / ASTM / FHIR).
  • Encryption at rest — patient and health data encrypted on storage media using strong, industry-standard algorithms and managed keys.
  • Per-tenant isolation — each laboratory's data is logically isolated so that one tenant cannot access another tenant's data.
  • Role-based access control and least privilege — access is granted by role on a need-to-know basis, regularly reviewed, and minimised.
  • Audit logging — security-relevant events and access to patient data are logged to support traceability, monitoring, and investigation.
  • Two-factor authentication (2FA) — supported and configurable to strengthen authentication for privileged and user access.
  • Encrypted backups and disaster recovery — backups are encrypted, regularly taken, and tested, with documented disaster-recovery capability to restore service and data.
  • Vulnerability management — ongoing patching, security testing (including periodic assessments), and a structured process to triage and remediate vulnerabilities.
  • Personnel and organisational controls — confidentiality obligations, least-privilege provisioning/de-provisioning, and role-appropriate security and data-protection training.

14. Data Protection Impact Assessments & Prior Consultation

Because the Services routinely involve special-category health data, your processing may require a Data Protection Impact Assessment (DPIA). Taking into account the nature of the processing and the information available to us, CLARUS® will provide you with reasonable assistance to support any DPIA you carry out and any prior consultation you must undertake with a supervisory authority.

That assistance includes descriptions of the relevant processing operations, the technical and organisational measures in the security section and the Annex, and the categories of sub-processors and data flows involved — so that you, as Controller, can assess and document the risks of the processing.

Buying CLARUS® should feel safe. This DPA puts that commitment in writing: your laboratory stays in control as Controller, CLARUS® acts only as your Processor on documented instructions, your patients' health data is protected to recognised international standards, and you can export and leave on open HL7/FHIR formats at any time — no lock-in. For any questions, contact our Data Protection Officer at dpo@claruslis.com, privacy@claruslis.com, or legal@claruslis.com, or reach us through in-app live chat. This DPA is governed by the laws of the Arab Republic of Egypt, while preserving any mandatory rights you hold under your own country's law. Effective and last updated: 2026-06-26.
